Announcing the Vulnerability Bug Bounty Program

It is very important to us that our games are fair for everybody, and we do not tolerate any form of cheating. Empires & Puzzles has been implemented in a way that makes cheating next to impossible. However, no solution is fool-proof, and there is always a chance of human error.

In the past, there have been a couple of cases where some players have found a way to bypass our server-side verification logic to gain an unfair advantage in the game. We have reacted to those cases by removing the advantage and/or suspending the account.

Of course, it would be even better to hear about bugs and vulnerabilities like that before they are abused. If you discover a vulnerability, it should be more tempting to report it to us than to abuse it for short term gains and risk getting your account suspended.

I am happy to announce that we are partnering with BugCrowd to make it easier - and more lucrative - to report vulnerabilities in the game. BugCrowd offers two kinds of programs. Their free program allows you to report bugs and vulnerabilities for fame, and simply because it’s the right thing to do. You can find the form of our Responsible Disclosure Program at https://www.smallgiantgames.com/white-hats.

BugCrowd also offers a private Paid Bounty program for security researchers. The rewards in that program range from a couple of hundred dollars to $4,500 or even up to $10,000 in exceptional situations.

Unfortunately, you cannot report vulnerabilities through the Paid Bounty program unless you are a registered security researcher with BugCrowd. However, we are interested in reports from the whole community and will pay a fair reward for any real vulnerabilities we end up fixing. If you report a real vulnerability through the Responsible Disclosure Program, I will make sure you are approved as a researcher by BugCrowd and will be compensated for your report.

Please note that we are most interested in vulnerabilities affecting our server-side validation. Just as an example:

  • Completing the same quest multiple times for repeated rewards
  • Abusing a bug to adjust the odds of a battle or summon in your favour
  • Training or crafting without consuming the necessary ingredients

Please note that we do reserve the right to reject reports that are not related to vulnerabilities in our server-side validation. Here are some things that we do care about, but cannot accept through the program as bugs or vulnerabilities:

  • Client-side cheating e.g. by modifying the clock speed of your device (unless it allows you to uncover holes in the logic that the server is not catching yet)
  • Using features that are working as designed to gain an advantage in the game (unless the design of the feature is unintended and we actually fix it based on your report)

If you do believe you have spotted a real bug or a vulnerability in the game, please report it through https://www.smallgiantgames.com/white-hats and if it is approved and fixed, I will make sure you get a fair compensation for your report.

31 Likes

It is not really clear to me what “fair compensation” means (how you calculate a fair compensation?) but i will do that no matter the money involved.

Good to know.

5 Likes

I am afraid that many reports will be received.

  1. The opponents have manipulated the boards.
    I lose too often.

  2. Wars are manipulated.
    We keep losing.

  3. Opponents with less TS beat my defense.

2 Likes

Easy fix for this. Block anybody that makes 5 fake or unfounded reports. This should ease the load in a while. But overall, yes, there’s gonna be raining imaginary bug reports soon :grin:

Let me get this straight, instead of spending money hiring people to find these bugs, you are spending money on people to receive the hundreds of thousands of “bugs” that people are going to report AND then “fix” those bugs? In what world does this make sense? Are there that many bugs being exploited that you need to do this?

3 Likes

The Bug Bounty program has the ranges defined. If we somebody reports a vulnerability and we fix it, the size of the bounty will be determined based on the criticality of the reported issue.

6 Likes

Here’s the prize:

Small bug = 1 hero token with a chance to get 1 dawa.

Medium bug = 5 hero token with a chance to get 5 dawas

Big bug = 10 hero token with a chance to get 10 dawas.

:hugs:
Just kidding :rofl:

11 Likes

Well getting the people who play day in day out will probably notice some things more then people who don’t. Maybe minor bugs then blanent obvious ones. Loads of people play with different heros say one heros special isn’t working on another hero how you going to find out? they can’t test every combination of hero’s as there loads.
Using actual Players is quite a good choice :+1:

This could be a legitimate vulnerability in the way the game works. I think that SG is testing ways to address this.

But yes, those others are junk. It would be nice if people could understand the difference between a vulnerability (i.e. this is a way to get something for free) vs. a display issue (e.g. a revived hero doesn’t reappear).

1 Like

I understand What you are saying. But the majority of players do not fully understand how all heroes work together. For example they may report a bug when Mitsuko and BK are on the same team and when Mitsuko’s Blue reflect is up and BKs taunt is up, the blue reflect does zero damage. Nuances like this are what the majority of “bugs” reported are going to be. A lot of what you are referencing are usually uncovered in beta. Sure it may get missed when doing an update, but again, my point is that the overwhelming majority of players are going to report hero incompatibilities as bugs instead of understanding that they are working as they are supposed to. It’s a waste of the devs time

Bug report is the last thing that need SG for improving the game… they just wanna be sure don’t lose a penny from players​:stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye:

2 Likes

I Was just using hero’s as an example sure as stated there going probably be lots of hoax or people not totally understanding things but you can prob spot them out more than others.
Probably a better example is the war one in the bugs and issues right now, only that would of been found in game play and players know its wrong. Players will notice more plus its good to have eyes everywhere really.

Can we maybe have a statistic of, let’s say the 5 most reported bugs?

I would put my money on:

1 Like

making the hacker report a hack for a chance to be hired and/or a money compensation is a good way to try to have less holes in the game’s profit (like the big server outage that could have been a hacker’s work)

thumbs up, SG!
overall is a win-win for players and SG!

3 Likes

Hi, first time posting, long time player. I couldn’t figure out how to just make a post on this forum topic, so I’m just replying to this one.

I was playing the third level of the “Trials of Shadows” quest this morning at around 0820CDT. I was on the boss stage, and had killed 1 of the 3 big bosses. I had used up 3 of my Time Stops, 3 Bomb Attacks, and 2 Potent Health Potions. I was in the middle of a big combo attack, and the game crashed and shut down. I’m playing on an iPhone X and have the game on the most up-to-date version.

Was hoping you guys could refund my 20 health and those time stops and attacks that were wasted when I re-opened the game. Very frustrating! My user name on GameCenter is cbh316.

Thanks!

Well, I’ll share my experience from last week’s tournament. I took my opponent’s tank and left wing down, so there were only left flank, right flank and right wing remaining. Suddenly Boril activated his counterattack. He was right wing, still all of the heroes had counterattack.

Left wing shouldn’t counterattack in this case, because it wasn’t next to Boril. Fortunately, I won the match, but I almost lost because of the bug. For this reason I find it important, because it’s an advantage which could cause a loss to somebody.

@mhalttu

was he costumed?

4 Likes

Hi Rigs,

Frankly, I’m not sure. That happened last week :roll_eyes: But, to tell the truth, I hadn’t noticed this difference up until now :grimacing: I admit I must have overlooked which Boril I fought against :disappointed:

Thank you :+1:

1 Like

stuff like that is pretty common to overlook, see it a lot in the bug section of the forum and have made similar mistakes myself

1 Like

Cookie Settings